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We describe new unconditionally secure bit commitment schemes whose security is based on 
Minkowski causality and the monogamy of quantum entanglement. We first describe an ideal scheme 
that is purely deterministic, in the sense that neither party needs to generate any secret randomness 
at any stage. We also describe a variant that allows the committer to proceed deterministically, 
requires only local randomness generation from the receiver, and allows the commitment to be 
verified in the neighbourhood of the unveiling point. We show that these schemes still offer near¬ 
perfect security in the presence of losses and errors, which can be made perfect if the committer 
uses an extra single random secret bit. We discuss scenarios where these advantages are significant. 


Introduction Relativistic quantum cryptography exploits the combined power of Minkowski causality and 
quantum information theory to control information in order to implement cryptographic tasks. A variety of interesting 
tasks (e.g. 0®) are now known to be achievable, either with unconditional security or with security significantly 
enhanced relative to classical protocols. There has also been progress in characterising fundamental constraints 
imposed on quantum information tasks by Minkowski causality 111) 1 21. 

The first significant application of relativistic cryptography was to bit commitment Bi®®, a basic cryp¬ 
tographic primitive which has many applications and which cannot be implemented securely by using quantum 
information alone 2-171 ■ Several classical and quantum relativistic bit commitment protocols have now been proven 
secure B |TT|, fl3l.[2d 22, 28| . The feasibility of secure relativistic quantum bit commitment has also been demonstrated 
experimentally 0, l23j |. The feasibility of classical relativistic bit commitment has also been investigated 1,0 with 
a view to near term implementation [2J] . 

Nonetheless, the full range of possibilities for relativistic quantum bit commitment protocols has not yet been sys¬ 
tematically explored, nor arc all the possible tradeoffs between security advantages and requirements well understood. 
We are motivated to address these questions both because they are practically relevant and because the answers 
illuminate the general properties of relativistic quantum information and its relationship to cryptography. 

Existing relativistic classical and quantum bit commitment protocols BIS 0 require at least one party to 
locally generate and then securely store and/or distribute secret classical random strings. While this is a reasonable 
capability to assume in many cryptographic contexts, it may not always be practical. For example, if protocols 
are being implemented over a network of many sites, it may not necessarily be desirable to set up random number 
generators or secure classical memories at every site. 

One might at first think that quantum protocols cannot have any advantage here, since if a party can securely and 
reliably prepare, distribute and measure entangled quantum states, they can obtain secure classical random strings 
from those states as and when required. In many scenarios this argument may indeed apply. However, quantum 
information has security advantages compared to classical information, particularly when one considers a protocol as 
part of a larger cryptographic exchange. For example, if a party is concerned that there has been a security breach 
at one of their sites, they can check whether a distributed quantum state remains in the correct form, whereas they 
cannot tell for sure whether a purportedly secret distributed classical random string has been read at some location 
by an adversary. 

These points, alongside interest in understanding better theoretically the relationship between relativistic quantum 
information and cryptography, motivate us to consider relativistic quantum bit commitment protocols that require 
less secret classical randomness, or even none. We describe here two entanglement-based relativistic bit commit¬ 
ment protocols that minimize the need for classical randomness: indeed, one of them, in its ideal form, requires no 
randomness at all. Their security can be understood as a consequence of the monogamy of quantum entanglement. 

Bit commitment A bit commitment protocol involves two mistrustful parties who control disjoint secure 
regions (laboratories) and exchange information. The committer, Alice, carries out actions that commit her to a 
particular bit value (or, in the quantum case, a particular superposition of bit values). She can later, if she chooses, 
give the receiver, Bob, classical or quantum information that unveils the committed bit. Ideally, the protocol should 
rely only on physical principles to guarantee to Bob that Alice is committed by her initial actions, and to Alice that 
Bob can learn no information about the committed bit unless and until she unveils. 

When considering relativistic bit commitment protocols, these definitions need to be framed more carefully 0- In 
such protocols, both Alice and Bob are represented by networks of collaborating agents distributed appropriately in 
space-time. All of Alice’s agents are assumed to be acting with perfect trust in one another. However, at any given 
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time (in some fixed reference frame), they do not necessarily all have the same information, both because they are 
separated in space and because quantum information cannot be broadcast. The same applies to Bob’s agents. 

In standard relativistic bit commitment protocols, the commitment is carried out by one of Alice’s agents. In an 
idealized model, this agent acts at a single point in space-time; more realistically she acts within a spatially small 
secure laboratory during a small time interval. The unveiling may be carried out by any number of Alice’s agents, 
possibly including the committing agent. In principle a protocol could require agents to follow any specified causal 
paths in space-time. However, we usually assume there is a natural inertial frame with respect to which they are 
all stationary, so that they are located at fixed points in space (or within fixed small laboratories) throughout the 
protocol. Since we allow arbitrary numbers of agents, this loses no generality, so long as we assume that Alice’s 
agents have secure classical and quantum communication channels. (Note, however, that this last assumption may 
not always be justified; if not, the possibility of mobile agents should be kept in mind.) 

Security definitions One needs to be careful about what, precisely, a bit commitment protocol is intended 
to guarantee in relativistic scenarios. Specifically, one needs to be clear which agent (or combination o f ag ents) is 
(are) committed at which point(s). We follow the physically motivated definition first set out in Ref. [ll(, which 
requires that a bit commitment should guarantee that the committed data was available to and input by Alice’s 
committing agent A c at the space-time point where the commitment occurs. This definition allows for the possibility 
of A c inputting a quantum superposition of the values 0 and 1. However, it excludes protocols in which the unveiling 
agents could influence the value of the unveiled bit by using correlated information that they acquired independently 
of A 0 [HI . 1 

Let the agents involved in the unveiling be A t (i = 0,1,...). Let po(S) and pi(S) be the probabilities that, by 
following some collective strategy S , they persuade Bob that, according to the rules of the protocol, they have validly 
unveiled 0 or 1 respectively. 

We say a relativistic quantum bit commitment protocol is unconditionally secure against Alice if, given any com¬ 
mitment actions by A c that Bob will accept as valid, and any strategies S and S' by the unveiling agents A,; that are 
allowed by quantum theory and special relativity, we have po{S) + Pi(S') < 1 + e{N), where N is a variable security 
parameter of the protocol and e(N) —>■ 0 as N —> oo. 

In the protocols we consider below, there are two unveiling agents Aq and A\ , whose actions are spacelike separated 
from each other and from those of A c . The probability of a successful unveiling of bit value i depends only on the 
actions of agent At. A collective strategy S may be fixed by Alice before the protocol, or Alice’s agents responsible for 
unveiling 0 and 1 may independently choose their strategies after the commitment time, possibly conditioned on events 
in the past lightcone of their verification point but not of the commitment point. We subsume the latter possibility 
under the former by allowing any strategy S to include steps in which agents make strategic choices with probabilities 
conditional on certain external events, with those events themselves now explicitly included in the description of 
strategy S. Any strategy whereupon the conditional probabilities for these choices are nontrivial may be written as a 
convex combination of deterministic strategies, so no probabilistic strategy can have greater success probability than 
the most successful deterministic strategy. 

For protocols of the type we consider we can thus simplify the above definition: such a protocol provides uncondi¬ 
tional security against Alice if any only if for any collective strategy S which is possible according to quantum theory 
and special relativity, po(S) +pi(S) < l+e(N) and e(N) —>- 0 as TV —>- oo, where A' is a variable security parameter of 
the protocol, and po(S) and Pi(S) are the probabilities that, by following strategy S, Alice and her agents persuade 
Bob that they have validly unveiled 0 or 1 respectively according to the rules of the protocol. 

We say a relativistic bit commitment protocol is unconditionally secure against Bob if, whatever strategy Bob’s 
agents follow, if Alice’s agents choose not to unveil, then the probability of any of Bob’s agents correctly guessing the 
committed bit at any point in space-time is bounded by l/2 + e'(A), where e'(N) —> 0 as N — > oo. It follows from this 
definition, by the no-signalling principle, that when Alice does choose to unveil, Bob cannot guess Alices commitment 
anywhere that does not lie in the future lightcone of the unveiling points. 

In the protocols we consider below, Alice has one committing agent, A c , and two unveiling agents, Aq and Ai, who 
can unveil a valid commitment to b = 0 and 1 respectively. An additional security criterion may be required for such 
protocols: that if A c does not make a valid commitment to bit value b, A/, follows the unveiling protocol and A 5 does 
not, then Bob’s agents, at any point in space-time, should gain no information about whether A c committed to bit 
value b or declined to make a valid commitment. As we explain below, with simple modifications, our protocols also 
satisfy this criterion. 

Relation of commitment and unveiling points Another issue is what exactly is meant by the unveiling 
taking place “later” than the commitment in Minkowski space. In some quantum relativistic bit commitment protocols 


1 Following Ref. 0, another discussion of security definitions from a somewhat different perspective was given in Ref. [ 2 H . 
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[l3!,[28j|, the unveiling points are in the lightlike causal future of the commitment point. In the idealized case in which 
agents are pointlike and their actions are instantaneous, these protocols guarantee that the committing agent was 
committed at the commitment point, in the sense given above. In such protocols, the statement that the unveilings 
are later than the commitment is true independent of the frame. We call these lightlike causal (LC) relativistic bit 
commitments. 

We wish here also to consider protocols in which the unveiling points are space-like separated from the commitment 
point. The most obviously interesting case is that in which all unveiling points are later than the commitment point 
with respect to some fixed frame F. We call such protocols fixed frame positive duration (FFPD) relativistic bit 
commitments. 

Generally, if there is a fixed frame F' in which all the agents are stationary during the protocol, we will take F' = F. 
One motivation for considering this case is that it allows us to consider sequences of protocols in which the unveiling 
points tend towards the future light cone, and so to relate LC and FFPD commitments. Another is that there are 
many practical situations - such as protocols carried out on terrestrial computer networks - in which there is a 
generally agreed (approximately) inertial frame and time coordinate. In such scenarios, commitments are potentially 
useful provided they have a positive duration with respect to this coordinate. A third motivation is the possibility of 
sustaining a bit commitment for several rounds by using sequences of protocols with space-like separations, as in the 
examples of Refs. @, 0. In this case, the geometry can be chosen so that any or all possible final unveiling points are 
in the causal future of the commitment point. A sequence of LC and/or FFPD relativistic bit commitments can thus 
produce a timelike causal (TC) relativistic bit commitment: that is, a commitment in which all the unveiling points 
are in the timelike future of the commitment point. 

As usual in quantum cryptography, we initially present our protocols in an idealized form assuming perfect quantum 
state preparations, transmissions, measurements and computations. However, the protocols are tolerant to errors and 
losses, as we discuss later. 

Space-time and communications We also make standard idealizations about the background geometry 
and signalling speed. We suppose that space-time is Minkowski and that Alice and Bob each have agents in secure 
laboratories infinitesimally separated from the points P, Q o and Q i, that signals are sent at precisely light speed, 
and that all information processing is instantaneous. Again, these assumptions can be relaxed. The protocols remain 
secure in realistic implementations with finite separations and near light speed communication. If these corrections 
are small, the only significant effect is that Bob is guaranteed that Alice’s commitment is binding from some point P' 
in the near causal future of P, rather than from P itself fl3| . Allowing for small deviations from Minkowski geometry 
also requires small corrections to the geometry when stating the security guarantees, but does not essentially affect 
security beyond that 0. 

Geometry Alice and Bob agree on a space-time point P, an inertial set of coordinates (x, y , z, t ) for Minkowski 
space, with P as the origin. We focus here on the simplest case in which there are two possible unveiling points Qq 
and Qi, both space-like separated from P: the protocols straightforwardly extend to versions with N unveiling points 
committing log(TV) bits. Alice and Bob each have agents, who during the protocol are separated in secure laboratories, 
adjacent to each of the points P, Qq, Q\. To simplify for the moment, we take the distances from these labs to the 
relevant points as negligible. Although it is not necessary for much of our discussion, we assume that Qq and Q i 
have positive time coordinates in the given frame, so as to define FFPD relativistic bit commitments. Let the agents 
adjacent to P be A c and B c , and those adjacent to Qi be Ai and Bi. 

In the following protocols, for definiteness, we describe a procedure in which Alice and her agents exchange qubits 
by secure physical transportation in the preparation phase. However, they may alternatively employ teleportation 
or a secure quantum channel without significantly altering the protocols’ security. Likewise Bob and his agents may 
exchange qubits by any secure means. Bob may also arrange to combine his qubits at a variety of locations, depending 
on where he wishes to verify the unveiled bit. 

ETBC: Simple Entanglement transfer protocol 

Preparation 1. A c prepares a total of 2 N Bell pairs in the state T~; let the qubits in the first N pairs be 
(Wq_ p, Wqq) and the second N pairs {W( p ,WIq), where j £ [1, N]. She retains the qubits W- P , gives the qubits W^q 
to Aq and gives the qubits W(q to A\. 

2. Aq and A\ travel to locations adjacent to the spatial coordinates of Qq and Q\. We assume that A c , Aq and 
A± have secure laboratories that protect their qubits, so Bob cannot interfere with them in any way after the initial 
preparation. In particular, Aq and A\ travel within secure laboratories. 

Commitment At the designated commitment point P, A c gives B c a set of N labelled qubits Q J a . If she wishes 
to commit to bit value i, these are the qubits W- P , for j £ [1, AT], labelled in sequence. 

Unveiling If the agent A, believes Alice wishes to unveil, she gives the labelled qubits W/q to Bob’s agent li, . A c 
(and/or, if preferred, one or both of the Af) also sends to Bob’s neighbouring agent a classical message stating the 
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bit value b. (Note that in principle the agents A c , Aq and Ai may make these decisions independently. To coordinate 
them and ensure that all or none unveil, Alice needs to give them instructions in advance. These instructions could 
depend on separate events in the past light cones of their unveiling decision points, if Alice knows these events will 
be correlated.) 

Verification Once at least one of Bob’s agents knows the claimed bit value b, they securely transmit to one 
agent (for example B c or Bb) all the qubits given to B c and to Bb■ The receiving agent then carries out projective 
measurements in the Bell basis on the qubits (Q J a , W£q) for each j £ [1, AT]. If they get outcomes corresponding to 
the Bell state for all j, Bob accepts that Alice made a valid commitment to bit value b. (As noted above, this 
verification step can be carried out at a location of Bob’s choice: for example, it could be made by an agent half-way 
between B c and Bb-) 

Security against Alice We prove security against Alice assuming the validity of quantum mechanics and 
assuming that Bob’s measuring devices are reliable. (Neither this protocol nor the variation considered below gives Bob 
device independent security or security against adversaries who can exploit hypothetical post-quantum non-signalling 
theories.) 

Write the Hilbert spaces for the N qubits held by Bq, Bi and B c as Hq , Hi and H 2 respectively, and write 
H = H\ <g> H 2 <8> Hq. Bob tests for a purported commitment to zero by a measurement defined by the projection 

P 0 = ®fM®Mo Mo)' 

Bob tests for a purported commitment to one by a measurement defined by the projection 

Pi = ®f =1 (l*->1 2 (MM- 

Here I k is the identity operator on the j-th qubit in H k and is a Bell state of the j-th qubits in H k ® Hp The 

operator Q = PqPi can be written as Q = 0jLiQj, where Qj acts on the triple of j-th qubits from each Hilbert space 
and has operator norm \Qj\ = 1/2; hence Q has operator norm |Q| = 2~ w . 

For any state \if>) defining triples of N qubits that Alice might hand over to B c , Bq and B 1, we thus have 

IQ Ml = |p 0 M - p 0 (i - A) MI 

> |p 0 M | - |P 0 (i - Pi) MI 

> |PoMl-|(i-Pi)MI 

> (pl /2 -(l-Pi) 1/2 )) 

where po and pi are the respective probabilities of successfully persuading Bob that 0 and 1 was unveiled using the 
state \ip). 

This gives that Pq + Pi < 1 + 2~ N+1 + 2~ 2N . As this holds for any possible state \ip), it implies security (in the 
standard sense [(A ll.ll l28| for a relativistic quantum bit commitment) with security parameter N. 

Security against Bob At commitment, Bob receives a set of N qubits entangled with another N qubits not 
in his possession. They have the same reduced state (a uniform mixture) regardless of the committed bit. He thus 
cannot obtain any information about the bit before unveiling. 

ETRBC: Entanglement transfer protocol with randomisation In this variation, Alice follows the pro¬ 
tocol above, but now B c randomly selects half the qubits given to him to send securely to Bq , sending the other half 
to Pi. This allows both B 0 and Bi to directly test the bit value as soon as they receive these qubits. 

Preparation 1 . A c prepares 2 N Bell pairs, (Wq P , Wqq) and (W( P , W(q) with j e [1, A], in the state \I/ _ . She 

gives the qubits Wqq to Aq and the qubits W(q to Ai. We take N even for simplicity. (The protocol can easily be 
varied to also allow for odd N.) 

2 . A 0 and Ai travel to locations adjacent to the spatial coordinates of Q 0 and Qi- We assume that A c , A 0 and 
Ai have secure laboratories that protect their qubits, so Bob cannot interfere with them in any way after the initial 
preparation. In particular, Aq and Ai travel within secure laboratories. 

Commitment At the designated commitment point P, A c gives B c a set of N labelled qubits Q 3 a . In order to 
commit to bit value 0, she gives him the qubits Wq P \ in order to commit to bit value 1, she gives him the qubits W 3 P . 

Distribution B c sends a randomly selected size N/2 subset Jq of his received qubits to Bq and the remaining 
subset, Ji, to B\. All qubits are sent with the corresponding labels j. 

Unveiling If the agent Ai believes Alice wishes to unveil, she gives the labelled qubits W?q to Bob’s agent Bi. (A c 
and/or either or both of the Ai may also send to Bob’s neighbouring agent a classical message stating the bit value 
b if they wish, although it is not necessary in this protocol. In any case, as in the previous protocol, some advance 
instructions from Alice are needed to ensure any unveiling decisions are coordinated.) 
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Verification Once he has received the qubits sent by B c , Bi carries out projective measurements in the Bell basis 
on the qubits (Q J a , W/q) for each j £ Ji. If £>, gets outcomes corresponding to the Bell state ’I' - for all j £ Jj he 
accepts that Alice made a valid commitment to bit value i. 

Security against Alice Again, we prove security against Alice assuming the validity of quantum mechanics 
and assuming that Bob’s measuring devices are reliable. 

Write the Hilbert spaces for the N qubits held by Bq , Pi and B c as Hq, Hi and H 2 respectively, and write 
H = H\ Cg> H 2 ® Hq. Bq tests for a commitment of zero by a measurement defined by the projection 

^ 0 Jo = « |*->20 <*- l 2 o ) ■ 

Bi tests for a commitment of one by a measurement defined by the projection 

Suppose that Alice prepares a state | i/j) such that the probability of passing the test for zero is p > Po- Then there 
must be at least one subset Jo for which this probability is at least p 0 , i.e. for which 

Po° = (V’l p o° IV 1 ) > Po ■ 

Consider any subset J' Q such that Jo H J' 0 < N/3. 

By a similar argument to that above, we obtain 

|P 0 Jo Pi J i| < 2 ~ n/6 . 

and 

pf < 1 + 2~ n / 6+1 + 2~ n / 3 -Pq° <l-p 0 + 2~ n / 6+1 + 2 -JV / 3 . 

Now the proportion of subsets J' Q with Jo fl Jq > N/3 falls off exponentially with N: to leading order it is 
bounded by (N/ 6)(2 _ 1 °/ 6 3)E Hence the overall probability of bit value one being accepted, pi, is bounded by 
Pi < 1 - Po + 2~ n / 6+1 + 2 -JV / 3 + 0(N/ 6(2- 1 °/ 6 3) jv ), again giving security with security parameter N. 

Security against Bob As before, at commitment, Bob receives a set of N qubits entangled with another N 
qubits not in his possession. They have the same reduced state (a uniform mixture) regardless of the committed bit. 
He thus cannot obtain any information about the bit before unveiling. 

Errors and Losses In any realistic implementation, Alice’s state preparation and Bob’s measurements will 
be imperfect and their communication channels and storage devices will have some noise and losses. To show that 
the protocols will be feasible with sufficiently good, but imperfect, technology we need versions adapted to allow for 
some non-zero level of errors and losses. 

We first assume that Bob follows the protocol and measures each purported singlet separately, and that the errors 
and losses for each singlet are small and statistically independent. 

For protocol ETBC, in this error model, Bob can test for a purported commitment of zero, with negligible probability 
of getting a false negative result, by checking that he gets positive answers for a proportion (1 — e)N of tests for the 
singlet |’F_) 20 , where e > 0 is small. The error model implies that the probability of a state \ip) passing the test is no 
more than |Pq \if>) | 2 + 7 (6, N). 

Here Pq = E m =(i -S)n P^, where <5 > e is also small, and chosen so that 7 (S,N) —> 0 as N —>• 00. The operator 
P^ is the projection onto the subspace of states spanned by states of the form <g)A x |^'i) 2 o |$t)ii where the |4 , i ) 20 are 
Bell states, of which precisely m are |’F_), and the |$ i ) 1 are arbitrary qubits in Hi. 

Bob similarly tests for a purported commitment of one by checking that he gets positive answers for a proportion 
(1 —e)N of tests for the singlet |^_) 12 . The probability of a state | ip) passing this test is (up to negligible quantities) 
no more than |Pf |i/>) | 2 + 7 (6, N), where Pj 5 = Em=(i-< 5 )jv P^ is defined similarly. 

The operator Pq can be written as a sum of E^fo C^_ X 3 X terms involving one-dimensional projectors onto tensor 
products of Bell states in P 2 Cg> Hq, tensored with the identity on H\. The operator P-f can be written similarly, using 
Bell state projections on Hq® H\. The operator Q s = Pq P-f can thus be written as a sum of (Ex=o C n-x 3 x ) 2 ran k 
one operators, each of which has operator norm no more than 2~ N+2SN . This gives the (weak, but adequate for our 
purpose) bound |Q 5 | < 2~ N+26N 3 2SN (N5 + 1 ) 2 (C//_ NS ) 2 , which tends to zero for large N and fixed small <5. The 
security argument then runs as before. 

The security proof for protocol ETRBC similarly extends to cover small levels of errors and losses under the 
assumptions above. 


6 


For completeness, we should note another possible security issue. If the errors in Alice’s singlet state preparations 
vary over time in some predictable way, then the reduced density matrices for the states handed over to B c by A c may 
also vary predictably. Given a deterministic protocol, we have to assume that the order in which A c labels the singlets 
after producing them is public information. B c might then be able to infer some information about the committed 
bit by measuring these states, without waiting to combine them with states returned by the A*. 

This may not seem a significant practical worry, since in practice one might reasonably expect the predictable 
component of any variation in Alice’s preparation devices to be very small. Moreover, some deterministic strategies 
could reduce it further. For example, the information revealed by a monotonic drift of some parameter over time 
could be greatly reduced by taking the odd time ordered singlets produced (the 1st, 3rd, and so on) to be the first N 
for the protocol, and the even ordered to be the second N. Still, any predictable variation prevents perfect security 
against Bob, according to our definition. This concern can be eliminated if A c groups the states into two batches of 
N singlets by some deterministic method, and then decides randomly which batch is labelled from 1 to AT and which 
from N to 2N. This requires her to generate and keep secure a single random bit. 

Discussion 

Ideal case: no losses or errors The first protocol has a theoretically interesting advantage over any previous 
relativistic bit commitment protocol in that it is deterministic: neither party needs to make any random choices of 
classical data or quantum states. It thus satisfies the strongest possible form of Kerckhoff’s cryptographic principle 
that a cryptographic system should be secure even if everything about it except the choice of key is public knowledge: 
here, neither party even needs a secure key. Generating secure randomness is itself a cryptographic problem that 
requires extra security assumptions, or trusted secure quantum devices, or both. Eliminating any need for it requires 
fewer resources and removes some potential security issues. 

These advantages come at a price. Bob does not know whether Alice will choose to unveil a commitment to 0 or 
to 1, and the no-summoning theorem 0 prevents him from having the qubit Q a available at spacelike separated 
points along the different directions associated with 0 and 1, the time between Alice’s unveiling and the earliest time 
at which Bob can verify her commitment is twice as long for this variation. In time-sensitive situations this may be 
a disadvantage. 

This is what motivates the second version of our protocol. It eliminates this potential drawback by allowing each 
Bi to test whether the bit is i at the earliest possible point, as soon as a light signal from B c reaches them. After 
these points, Alice has essentially zero probability of both persuading Bq that the bit might be 0 and B i that the 
bit might be 1. The cost of this advantage is that B c needs to be able to generate a classical random string that 
is secure, at least in the sense that Alice cannot predict it in advance. The string may be generated immediately 
after B c receives his qubits from A c , and it does not matter if Alice immediately learns the string. This is still less 
demanding than requiring Bob to generate a secure random quantum state or sequence of states and keep its classical 
description secure 0, HU . The protocol also has an advantage over purely classical relativistic protocols @ in that 
Alice does not need to generate any secure random data. 

Losses and errors As shown, our protocols can be modified to tolerate small losses and errors. The comments 
above continue to apply, with one small but important qualification. If Alice wishes to eliminate any information 
leaking to Bob because of potentially predictable variation in Alice’s state preparation, our strategy needs A c to 
generate and keep secure a single random bit for each committed bit. This is a minimal additional security requirement, 
and needed only to eliminate for what in practice might often be a negligible leakage of information. Still, it should 
be kept in mind when making comparisons. 

Need for trusted devices Both protocols require Bob to rely on his devices to correctly implement projective 
measurements for Bell states, up to known small levels of losses and errors. The protocols as stated are thus not fully 
device independent. It also follows that they rely for their security on the validity of quantum theory (not just on 
the no-signalling principle). However, the protocols can be modified to give device independent versions by replacing 
verification steps by (for example) CHSH tests: we will give a detailed discussion elsewhere 0. 

Other comments Note that, like all technologically unconstrained quantum bit commitment protocols (0 . [27| , 
our protocols do not prevent Alice from committing to a quantum superposition of bits. She can simply input a 
superposition a |0)+/3 |1) into a quantum computer programmed to implement the two relevant quantum measurement 
interactions for inputs |0) and |1) and to send two copies of the quantum outcome data towards Q o and Q i, and 
keep all the data at the quantum level until (if) she chooses to unveil. This gives her no advantage in stand-alone 
applications of bit commitment, for example for making a secret prediction: it does, however, mean that one cannot 
assume that in a task involving bit commitment subprotocols, any unopened bit commitments necessarily had definite 
classical bit values, even if all unveiled bit commitments produced valid classical unveilings. 

As with the protocols of Refs. [1,0,0, the present protocols can be chained together in sequence, allowing longer- 
term bit commitments and flexibility in the relation between the commitment and unveiling sites (in particular, they 
need not be lightlike separated). Full security and efficiency analyses for these chained protocols remain tasks for 
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future work. 
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